8317374: Add Let's Encrypt ISRG Root X2

[jerboaa]

Backport so as to add the Let's Encrypt ISRG Root X2 CA. Applies clean after path shuffeling. Please review!

Testing:

• GHA
• jdk/test/security/infra/java/security/cert/CertPathValidator and jdk/test/sun/security/lib/cacerts jtreg tests.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• JDK-8317374 needs maintainer approval

Issue

• JDK-8317374: Add Let's Encrypt ISRG Root X2 (Enhancement - P2 - Approved)

Reviewers

• Paul Hohensee (@phohensee - Reviewer) ⚠️ Review applies to 71a0adac
• Andrew John Hughes (@gnu-andrew - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk8u-dev.git pull/398/head:pull/398
$ git checkout pull/398

Update a local copy of the PR:
$ git checkout pull/398
$ git pull https://git.openjdk.org/jdk8u-dev.git pull/398/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 398

View PR using the GUI difftool:
$ git pr show -t 398

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk8u-dev/pull/398.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back sgehwolf! A progress list of the required criteria for merging this PR into pr/397 will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[jerboaa]

Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#actalisauthenticationrootca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca2
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#amazonrootca4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass2ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#buypassclass3ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#certignarootca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodoeccca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#comodorsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcaec1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#entrustrootcag4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsigneccrootcar4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#globalsignrootcar6
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#godaddyrootg2ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootcar2
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#gtsrootecccar4
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#letsencryptisrgx1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#letsencryptisrgx2
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftecc2017
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#microsoftrsa2017
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca1g3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca2g3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#quovadisrootca3g3
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrooteccca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootevrsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#sslrootrsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#starfieldrootg2ca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliarootcav2
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#twcaglobalrootca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrusteccca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrustrsaca
Passed: security/infra/java/security/cert/CertPathValidator/certification/CertignaCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/DTrustCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/HaricaCA.java
Passed: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java
Passed: sun/security/lib/cacerts/VerifyCACerts.java
Test results: passed: 40

[mlbridge]

Webrevs

• 04: Full (59a87806)
• 03: Full (d26d6e9a)
• 02: Full (a49e7cee)
• 01: Full - Incremental (71a0adac)
• 00: Full (71a0adac)

[phohensee]

linux-x86 failure appears unrelated.

[openjdk]

@jerboaa Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

[openjdk]

@jerboaa Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

[openjdk-notifier]

The parent pull request that this pull request depends on has now been integrated and the target branch of this pull request has been updated. This means that changes from the dependent pull request can start to show up as belonging to this pull request, which may be confusing for reviewers. To remedy this situation, simply merge the latest changes from the new target branch into this pull request by running commands similar to these in the local repository for your personal fork:

git checkout jdk-8317374-letsencrypt-isrg2-root-x2
git fetch https://git.openjdk.org/jdk8u-dev.git master
git merge FETCH_HEAD
# if there are conflicts, follow the instructions given by git merge
git commit -m "Merge master"
git push

[openjdk]

⚠️ @jerboaa This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

[gnu-andrew]

Waiting for rebase now that #397 is integrated

[jerboaa]

Waiting for rebase now that #397 is integrated

Done.

[openjdk]

@jerboaa Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

[gnu-andrew]

Thanks. Patch looks clean (sans paths) and tests pass.

[jerboaa]

Linux x64 test failure of security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrusteccca seems infra flakiness. We have seen it fail a couple of times now:

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR

[gnu-andrew]

Linux x64 test failure of security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#usertrusteccca seems infra flakiness. We have seen it fail a couple of times now:

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR

Thanks, I hadn't seen that one yet. I don't think it's a blocker for this, as it's not one of the certificates being added.

[gnu-andrew]

/approve yes

[openjdk]

@gnu-andrew
8317374: The approval request has been approved.

[openjdk]

@jerboaa This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8317374: Add Let's Encrypt ISRG Root X2

Reviewed-by: phh, andrew

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been no new commits pushed to the master branch. If another commit should be pushed before you perform the /integrate command, your PR will be automatically rebased. If you prefer to avoid any potential automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[jerboaa]

/integrate

[openjdk]

Going to push as commit 4d1c3a6.

[openjdk]

@jerboaa Pushed as commit 4d1c3a6.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.